Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-4167] Add PRF attestation flow during passkey registration #3339

Merged
merged 11 commits into from
Nov 7, 2023
Merged

[PM-4167] Add PRF attestation flow during passkey registration #3339

merged 11 commits into from
Nov 7, 2023

Conversation

coroiu
Copy link
Contributor

@coroiu coroiu commented Oct 12, 2023
edited
Loading

Type of change

- [ ] Bug fix
- [x] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Allow users to create and register all necessary keys to allow vault decryption using a passkey

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team

@coroiu coroiu changed the base branch from master to fido2 October 12, 2023 12:35
@coroiu coroiu force-pushed the PM-4167-add-prf-attestation-flow-during-passkey-registration-server branch from 3ba6c73 to 4f0e15b Compare October 12, 2023 12:42
@bitwarden-bot
Copy link

bitwarden-bot commented Oct 12, 2023
edited
Loading

Logo
Checkmarx One – Scan Summary & Details9891f15f-17c6-4140-96fe-da20c4919e19

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Privacy_Violation /src/Core/Services/Implementations/UserService.cs: 789 Attack Vector
MEDIUM Privacy_Violation /src/Core/Services/Implementations/UserService.cs: 789 Attack Vector

Fixed Issues

Severity Issue Source File / Package
MEDIUM CSRF /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 368
MEDIUM CSRF /src/Api/Controllers/AccountsController.cs: 254
MEDIUM Healthcheck Not Set /docker-compose.yml: 4
MEDIUM Healthcheck Not Set /docker-compose.yml: 11
MEDIUM Healthcheck Not Set /docker-compose.override.yml: 4
MEDIUM Healthcheck Not Set /docker-compose.yml: 26
MEDIUM Host Namespace is Shared /docker-compose.override.yml: 4
MEDIUM Host Namespace is Shared /docker-compose.yml: 26
MEDIUM Host Namespace is Shared /docker-compose.yml: 4
MEDIUM Host Namespace is Shared /docker-compose.yml: 11
MEDIUM Memory Not Limited /docker-compose.yml: 4
MEDIUM Memory Not Limited /docker-compose.yml: 11
MEDIUM Memory Not Limited /docker-compose.yml: 26
MEDIUM Memory Not Limited /docker-compose.override.yml: 4
MEDIUM Networks Not Set /docker-compose.yml: 11
MEDIUM Networks Not Set /docker-compose.override.yml: 4
MEDIUM Networks Not Set /docker-compose.yml: 26
MEDIUM Networks Not Set /docker-compose.yml: 4
MEDIUM Privacy_Violation /src/Core/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommand.cs: 59
MEDIUM Privacy_Violation /src/Core/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommand.cs: 59
MEDIUM Security Opt Not Set /docker-compose.yml: 4
MEDIUM Security Opt Not Set /docker-compose.yml: 11
MEDIUM Security Opt Not Set /docker-compose.override.yml: 4
MEDIUM Security Opt Not Set /docker-compose.yml: 26
LOW Container Capabilities Unrestricted /docker-compose.yml: 26
LOW Container Capabilities Unrestricted /docker-compose.override.yml: 4
LOW Container Capabilities Unrestricted /docker-compose.yml: 4
LOW Container Capabilities Unrestricted /docker-compose.yml: 11
LOW Cpus Not Limited /docker-compose.override.yml: 4
LOW Cpus Not Limited /docker-compose.yml: 11
LOW Cpus Not Limited /docker-compose.yml: 4
LOW Cpus Not Limited /docker-compose.yml: 26
LOW Log_Forging /src/Billing/Controllers/PayPalController.cs: 64
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 197
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 211
LOW Log_Forging /src/Api/Controllers/AccountsController.cs: 110
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 211
LOW Log_Forging /src/Api/Controllers/AccountsController.cs: 110
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 197
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 211
LOW Log_Forging /src/Api/Controllers/AccountsController.cs: 110
LOW Log_Forging /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 197
LOW Log_Forging /src/Api/AdminConsole/Controllers/PoliciesController.cs: 91
LOW Log_Forging /src/Api/AdminConsole/Controllers/PoliciesController.cs: 91
LOW Log_Forging /src/Api/AdminConsole/Controllers/PoliciesController.cs: 91
LOW Use_Of_Hardcoded_Password /test/Core.Test/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommandTests.cs: 61

@coroiu coroiu force-pushed the PM-4167-add-prf-attestation-flow-during-passkey-registration-server branch 2 times, most recently from 696638e to 083b342 Compare October 16, 2023 12:26
Base automatically changed from fido2 to master October 30, 2023 13:40
@coroiu coroiu force-pushed the PM-4167-add-prf-attestation-flow-during-passkey-registration-server branch from 083b342 to 6c31877 Compare November 1, 2023 08:36
@coroiu coroiu force-pushed the PM-4167-add-prf-attestation-flow-during-passkey-registration-server branch from 6c31877 to 5e589ae Compare November 1, 2023 09:52
@coroiu coroiu marked this pull request as ready for review November 1, 2023 09:53
@coroiu coroiu requested review from a team as code owners November 1, 2023 09:53
@coroiu coroiu requested a review from andrebispo5 November 1, 2023 09:53
@ike-kottlowski ike-kottlowski self-requested a review November 1, 2023 14:40
@jlf0dev jlf0dev self-requested a review November 1, 2023 15:11
withinfocus
withinfocus reviewed Nov 1, 2023
View reviewed changes
src/Core/Services/IUserService.cs Outdated
@@ -28,7 +28,7 @@ public interface IUserService
Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(User user);
Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, bool supportsPrf, string encryptedUserKey, string encryptedPublicKey, string encryptedPrivateKey, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎨 Could these new parameters move to the end and be optional? For non-PRF default assumptions.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could also consider making a data model for all these parameters and build it from the response model.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed! I'll look into the model approach in my refactor task, where I'll convert these functions to commands!

@withinfocus withinfocus requested a review from a team November 1, 2023 15:37
jlf0dev
jlf0dev reviewed Nov 1, 2023
View reviewed changes
Copy link
Member

@jlf0dev jlf0dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I'll wait to approve until @ike-kottlowski gets a chance as well 👍

src/Core/Auth/Entities/WebAuthnCredential.cs Outdated
Comment on lines 39 to 48
if (SupportsPrf && EncryptedUserKey != null && EncryptedPrivateKey != null && EncryptedPublicKey != null)
{
return WebAuthnPrfStatus.Enabled;
}
else if (SupportsPrf)
{
return WebAuthnPrfStatus.Supported;
}

return WebAuthnPrfStatus.Unsupported;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit (non-blocking): just a tiny suggestion for readability

Suggested change
if (SupportsPrf && EncryptedUserKey != null && EncryptedPrivateKey != null && EncryptedPublicKey != null)
{
return WebAuthnPrfStatus.Enabled;
}
else if (SupportsPrf)
{
return WebAuthnPrfStatus.Supported;
}
return WebAuthnPrfStatus.Unsupported;
if (!SupportsPrf)
{
return WebAuthnPrfStatus.Unsupported;
}
if (EncryptedUserKey != null && EncryptedPrivateKey != null && EncryptedPublicKey != null)
{
return WebAuthnPrfStatus.Enabled;
}
return WebAuthnPrfStatus.Supported;

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed!

src/Core/Services/IUserService.cs Outdated
@@ -28,7 +28,7 @@ public interface IUserService
Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(User user);
Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, bool supportsPrf, string encryptedUserKey, string encryptedPublicKey, string encryptedPrivateKey, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could also consider making a data model for all these parameters and build it from the response model.

ike-kottlowski
ike-kottlowski previously approved these changes Nov 1, 2023
View reviewed changes
Copy link
Contributor

@ike-kottlowski ike-kottlowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good. No notes.

jlf0dev
jlf0dev previously approved these changes Nov 7, 2023
View reviewed changes
@coroiu coroiu dismissed stale reviews from jlf0dev and ike-kottlowski via 71e67e5 November 7, 2023 14:56
@coroiu coroiu requested a review from jlf0dev November 7, 2023 14:57
@coroiu coroiu merged commit e401fc0 into master Nov 7, 2023
40 checks passed
@coroiu coroiu deleted the PM-4167-add-prf-attestation-flow-during-passkey-registration-server branch November 7, 2023 15:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@withinfocus withinfocus withinfocus left review comments

@jlf0dev jlf0dev jlf0dev approved these changes

@ike-kottlowski ike-kottlowski ike-kottlowski left review comments

@andrebispo5 andrebispo5 Awaiting requested review from andrebispo5 andrebispo5 was automatically assigned from bitwarden/team-auth-dev

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@coroiu @bitwarden-bot @withinfocus @jlf0dev @ike-kottlowski